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Scheideler has shown that peer-to-peer overlays networks can only survive Byzantine attacks if malicious nodes 
are not able to predict what is going to be the topology of the network for a given sequence of join and leave oper- 
ations. In this paper we investigate adversarial strategies by following specific games. Our analysis demonstrates 
first that an adversary can very quickly subvert DHT-based overlays by simply never triggering leave operations. We 
then show that when all nodes (honest and malicious ones) are imposed on a limited lifetime, the system eventually 
reaches a stationary regime where the ratio of polluted clusters is bounded, independently from the initial amount 



of corruption in the system. 
^ ] 1 Introduction 

00 : 

Q^ , The adoption of peer-to-peer overlay networks as a building block for architecting Internet scale systems has 
CO ' raised the attention of making these overlays resilient not only to benign crashes, but also to more malicious 
, failure models for the peers [3 [121 [13l [M] . As a result, Byzantine-resilient overlay systems have been proposed 
OO ' (e.g., O m H]). The key to achieve Byzantine resilience in a peer-to-peer overlay is to prevent malicious peers 
, from isolating correct ones. This in turn, can only be achieved if malicious peers are not able to predict what 
will be the topology of the overlay for a given sequence of join and leave operations. Hence, a prerequisite 
for this condition to hold is to guarantee that malicious nodes are well-mixed with honest ones, that is nodes 
' identifiers randomness is continuously preserved. Unfortunately, targeted join/leave attacks may quickly endanger 
, the relevance of such assumption. Actually by holding a logarithmic number of IP addresses, an adversary can very 
' easily and efficiently disconnect some target from the rest of the system. This can be achieved in a linear number of 
5^ I offiine trials [2] . Awerbuch and Scheideler [3] have analysed several ways to make overlay networks provably robust 
against different forms of malicious attacks, and in particular targeted join/leave attacks, through competitive 
algorithms. All these solutions are based on the introduction of locally induced churn to prevent the adversary 
from thwarting randomness. The same authors have shown that despite the high level of randomness introduced 
in each of these strategies, most of them are either incorrect, or they involve tight synchronization among nodes 
which becomes unbearable in the context we address, namely targeted and frequent join/leave attacks. The other 
proposed approach based on globally induced churn, enforce limited lifetime for each node in the system. However, 
these solutions keep the system in an unnecessary hyper-activity, and thus need to impose strict restrictions on 
nodes joining rate which clearly limit their applicability to open systems. 

In this paper we propose to leverage the power of clustering to design a practically usable solution that pre- 
serves randomness under an e-bounded adversary. Our solution relies on the clusterized version of peer-to-peer 
overlays combined with a mechanism that allows the enforcement of limited nodes lifetime. Clusterized versions 
of structured-based overlays are such that clusters of nodes substitute nodes at the vertices of the graph. Cluster- 
based overlays have revealed to be well adapted for efficiently reducing the impact of churn on the system and/ or 
in greatly reducing the damage caused by failures — assuming that failures assumptions hold anywhere and at any 
time in the system (TJ [9l [6] . 
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The contributions of the paper are two-fold. First we investigate adversarial strategies by following specific 
games. Our analysis demonstrates that an adversary can very quickly subvert cluster-based overlays by simply 
never triggering leave operations. We then show that when nodes are imposed on a limited lifetime and under the 
assumption that we are able to enforce the adversary to leave the system after expiration of its ID, the system 
eventually reaches a stationary regime where the ratio of polluted clusters is bounded. Second we propose a simple 
and generic mechanism to limit nodes lifetime in those systems. 

The remainder of this paper is as follows: In Section [2] we briefly describe the main features of cluster-based 
overlays, and propose a mechanism that enables the enforcement of limited nodes lifetime. In Section [31 we model 
adversarial behaviours through the use of games. We study the outcome of these games by using a Markovian 
analysis. In this section, we consider a non restricted adversary. Section [3] is devoted to the same study in the case 
of a restricted adversary. Finally, we conclude with future works. 

2 Cluster-based DHT Overlays in a Nutshell 

In this section we first present the common features of cluster-based overlays and then present different join/leave 
strategies whose long term behaviors are analysed in Section [3) 

Clusterized versions of structured-based overlays are such that clusters of nodes substitute nodes at the vertices 
of the graph. Nodes are uniquely identified with some m-bit string randomly chosen from an ID-space. Identifiers 
(IDs) are derived by using standard collision- resistant one-way hash functions (e.g., [10]). Each graph vertex 
is composed of a set of nodes self-organised within a cluster according to some distance metrics (e.g., logical or 
geographical). Clusters in the system are uniquely labelled. Size of each cluster is lower (resp. upper) bounded. The 
lower bound, named Smin in the following, usually satisfies some constraint based on the assumed failure model. 
For instance Smin > 4 allows Byzantine tolerant agreement protocols to be run among these Smin nodes [8]. 
The upper bound, that we call Smax, is typically in 0{logN), where N is the current number of nodes in the 
system, to meet scalability requirements. When a cluster size reaches these bounds, cluster-based overlays react 
by respectively splitting that cluster into two smallest clusters or by merging it with its closest cluster neighbours. 
Finally for most of the cluster-based overlays, operations (join, leave, merge, and split) are poly-logarithmic in 
the number of nodes in the system. 

In the present work we assume that at cluster level nodes are organised as core and spare members. Members of 
the core set are primarily responsible for handling messages routing and clusters operations. Management of the 
core set is such that its size is maintained to constant Smin- Spare members are the complement number of nodes 
in the cluster. In contrast to core members, they are not involved in any of the overlay operations. Rationale 
of this classification is two-fold: first it allows to introduce the unpredictability required to deal with Byzantine 
attacks through a randomized core set generation algorithm. Second it limits the management overhead caused by 
the natural churn present in typical overlay networks through the spare set management. 

Specifically we consider the following join and leave operations: 

• join(p): when a peer joins a cluster, it joins it as a spare member. 

• leave(p): When a peer p leaves a cluster either p belongs to the spare set or to the core set. In the former 
case, core members simply update their spare view to reflect p's departure, while in the latter case, the core 
view maintenance procedure is triggered. Two different maintenance policies are implemented. The first one, 
referred in the following as policy 1, simply consists in replacing the left core member by one randomly chosen 
spare member. The second one, referred as policy 2, consists in refreshing the whole core set by choosing 
Smin random peers within the cluster. 

For space reasons we do not give any detail regarding the localization of a cluster nor its creation/split /merge 
process. None of these operations are necessary for the understanding of our work. The interested reader is invited 
to read their description in the original papers (e.g. [Tl[ni[S]). 

2.1 Implementing a limited nodes lifetime 

To implement limited nodes lifetime, we propose to proceed as follows: Peers identifiers are generated based 
on certificates acquired at trustworthy Certification Authorities (CAs). Identifiers (denoted IDs) are generated 
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as the result of applying a hash function to some of the fields of a X.509 [7] certificate. To enforce all peers, 
including malicious ones, leaving and rejoining the system from time to time, we add a incarnation number to 
the fields that appear in the peer's certificate that will be hashed to generate the peer's ID. The incarnation 
number limits the lifetime of IDs. The current incarnation k of any peer is given by the following expression 
k = \{CT — IVT)~\ / IL, where IVT is the initial validity time of the peer's certificate, CT is the current time, and 
IL is the length of the lifetime of each peer's incarnation. Thus, the k*^ incarnation of a peer p expires when its 
local clock reads IVT + k * IL. At this time p must rejoin the system using its (fc + 1)*'' incarnation. The IVT 
is one of the fields in the peer's certificate and since certificates are signed by the CA, it cannot be unnoticeably 
modified by a malicious peer. Moreover, a certificate commonly contains the public key of the certified entity. This 
way, messages exchanged by the peers can be signed using this key, preventing malicious peers from unnoticeably 
altering messages originated from other peers in the system. Messages must contain the certificate of their issuer, 
so as to allow recipients to validate them. Therefore, at any time, any peer can check the validity of the ID of 
any other peers in the system, by simply calculating the current incarnation of the other peer and generating the 
corresponding ID. If some peer detects that the ID of one of its neighbours is not valid then it cuts its connection 
with it. Note that because clocks are loosely synchronised, it is possible that a correct peer is still using its ID 
for incarnation k when other correct peers would expect it to be in incarnation k + 1. To mitigate this problem, 
we assume that any correct peer may have two subsequent valid incarnation numbers, for a fixed grace window 
GW of time that encompasses the expiration time of an incarnation number (GW is the maximum deviation of 
the clocks of any two correct peers). More precisely, at any time t, both incarnation k and k' are valid, where: 
k = \{t- GW/2 - IVT)yiL, and k' = \{t + GW/2 - IVT)]/IL. Notice that this means that although at any 
time t each peer p has a single incarnation number that it uses to define its current ID, other peers calculate two 
possible incarnation numbers for p. These are frequently equal, but may differ when p's local time is close to the 
expiration time of its current/last incarnation. 

3 Modelling the adversarial strategy as a game 

In this section, we investigate the previously described policies (policy I and 2). We model adversarial behavior 
by focusing on specific games. Both games intend to prevent the adversary from elaborating deterministic strategies 
to win. These games are played in the following context. There is a potentially infinite number of balls in a bag, 
with a proportion fi of red balls and a proportion 1 — fj, oi white balls, fi being a constant in (0, 1). White (resp. 
red) balls are indistinguishable. Red balls are owned by the adversary. In addition to the bag, there are two urns, 
named C and S. Initially, c + s balls are drawn from the bag such that c of them are thrown into urn C, and the 
other s ones are thrown into urn S. We denote by Cr (resp. Sr) the number of red balls in C (resp. S). It is easily 
checked that Cr and Sr are independent and have a binomial distribution, i.e. for x — 0, . . . , c and y — 0, . . . , s, 
we have 

I>{Cr=X,Sr^y} - ]P{Cr=x}-p{Sr^y} 

This joint distribution represents the initial distribution of the process detailed below. Each game is a succession 
of rounds ri, r2, . . . during which the game rule described in Figure [1] is applied. Rules are oblivious to the colour 
of the balls, that is, they cannot distinguish between the white and the red balls. 

The goal of the adversary is to get a quorum Q of red balls in both urns C and iS so that the number of red 
balls in C is bound to continuously exceed [(c — 1)/3J. An intuition of why having more than [(c — 1)/3J red 
balls in urn C is necessary for polluting it is related to agreement problems in distributed systems in presence of 
Byzantine processes. The value of quorum Q is derived in the sequel. The adversary may at any time inspect both 
urns and bag to elaborate adversarial strategies to win the game. In particular it may not follow the rule of the 
games by preventing its red balls from being extracted from both urns. Specifically, at stage I of both games, if 
the drawn ball bo is red then the adversary puts back the ball into the urn from which it has been drawn. Stage 2 
is not applied, and a new round is triggered. Clearly this strategy ensures that the number of red balls in C U 5 is 
monotonically non decreasing. 

We model the effects of these rounds using a homogeneous Markov chain denoted hy X — {Xn,n > 0} repre- 
senting the evolution of the number of red balls in both urns C and S. More formally, the state space 5 of X is 
defined by S* = {{x,y) |0<a;<c, < y < s}, and, for n > 1, the event Xn = {x,y) means that, after the n-th 
transition or n-th round, the number of red balls in urn C is equal to x and the number of red balls in urn S is 
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/* First game */ 

/* stage 1 */ 

draw ball bo from C U <S 
/* stage 2 */ 

if 60 was in S then 
throw feo into the bag 
draw ball 62 from the bag 
throw it into <S 
else 

throw 60 into the bag 
draw ball fei from S 
throw it into C 
draw ball 62 from the bag 
throw it into S 



I* Second game */ 
/* stage 1 */ 

draw ball bo from C U <S 
/* stage 2 */ 
if 60 was in S then 
throw 60 into the bag 
draw ball 62 from the bag 
throw it into S 
else 

throw 60 into the bag 
draw c balls from <S U C 
throw these c balls into C 
draw one ball 62 from the bag 
throw it in <S 



Figure 1. Rule of the first and second game. 



equal to y. The transition probability matrix P oi X depends on the rule of the given game and on the adversarial 
behaviours. This matrix is detailed in each of the following subsections. In all the cases, the initial state Xq is 
given by Xq = (C^, S^) and its probability distribution is denoted by the row vector a which is given by relation 
©, i.e. a{x, y) = TP{Xo = {x, y)} = F{a = x,Sr= y}. 

We define a state as polluted if in that state urn C contains more than [(c — 1)/3J balls. In the following, we 
denote by c' the value [(c — 1)/3J. Conversely, a state that is not polluted is said safe. The subset of safe states, 
denoted by A, is defined as: A — {{x,y) | < x < c', < y < s}, while the set of polluted states, denoted by B, 
is the subset S — A, i.e. B — {{x, y) \ c' + 1 < x < c, < y < s} . We partition matrix P in a manner conformant 
to the decomposition of 5 = A U i?, by writing 

/ Pa Pab \ 
\ Pba Pb )' 

where Pa (resp. Pb) is the sub-matrix of dimension \A\ x \A\ (resp. \B\ x \B\), containing the transitions between 
states of A (resp. B). In the same way, Pab (resp. Pba) is the sub-matrix of dimension \A\ x \B\ (resp. \B\ x 
containing the transitions from states of A (resp. B) to states of B (resp. A). We also partition the initial 
probability distribution a according to the decomposition S — Ayj B^ by writing a — [a a o^b), where sub- vector 
a A (resp. as) contains the initial probabilities of states of A (resp. B). 



3.1 First game 



Regarding the first game, computation of the probabilities of the transition matrix is illustrated in Figure [H 
In this tree, each edge is labelled by a probability and its corresponding event following the rule of the game (see 
Figure [T|). This figure can be interpreted as follows: At round r, r > 1, starting from state (x; y) (root of the tree) 
the Markov chain can transit to four different states, namely (x; y), (x; y + 1), {x + 1; y), and {x + 1; y + 1) (leaves 
of the tree). The probability associated to each one of these transitions is obtained by summing the products of 

the probabilities discovered along each path starting from the root to the leaf corresponding to the target state. 

We can easily derive the transition probability matrix P of the Markov chain X chain associated to this game. 
For all X £ {0, . . . , c} and for all y G {0, . . . , s}, we have 

= ((^)(^) + (7T^))(^)'^ for,<.-l 
— j— j ( — — j -(1 - /x) for x < c- 1 and 2/ > 1 
f c \ f c — x\ y 

V(^,y),(^+i,y) = )[—;—) forx<c-i. 

In all other cases, transition probabilities are null. 

Clearly, the adversary wins the game when the process X reaches the subset of states B from which it cannot 
exit. Thus quorum Q ~ {{x, y) \ {x, y) G B}. with B the set of polluted states. By the rule of the game, one can 
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(»; v) 



(i>o e c) 



(.bo e s) 



(bo is red) 




(6q is white) 





(1,2 is white) 1 - /J / \n (1,2 is red) n/ \ 1 - ^ (62 is white) 1 - / \^ (62 is red) 




(« + l;a - l)(x + lis,) (x;y + l) (x; y) 



(x;v) (x;y + l) 



Figure 2. Transition diagram for the computation of the transition probability matrix P for the first game. 



never escape from these states to switch to safe states since the number of red balls in C is non decreasing. Thus 
there is a finite random time T after which the process X is absorbed within B. Thus we have Pba = 0. The 
Markov chain X is reducible and the states of A are transient, which means that matrix I — Pa is invertible, where 
/ is the identity matrix of the right dimension which is \A\ here. Specifically T, the time needed to reach subset 
B, is defined as T = inf{n > | X„ £ B}. The cumulative distribution function of T is easily derived as 



F{T<k} = l-aA{PA)''l, 



(2) 



where 1 is the column vector of the right dimension with all components equal to 1. The expectation of T is given 

by 

E{T) ^ aA{I - Pa)-'!, (3) 

3.2 Second game 

By proceeding similarly as above, we can derive the following transitions of process X associated to the second 
game. Briefly, when the game starts in state (x, y) at round r, it remains in state (cc, y) during the romid if cither 
ball 6o is red or 6o is white, and has been drawn from S, and 62 is white. It changes to state + 1) if 69 is 
white, it has been drawn from <S, and 62 is red. Finally the game switches to state {k,x + y — k + tj, where k is 
an integer k = 0, . . . , c' and £ = or 1 if 60 is white, it has been drawn from C, and the renewal process leads to 
the choice of k red balls. For all a; G {0, ... , c} and y £ {0, . . . , s}, we have 



P{x,y),(x,y+1) 
P(x,y),(x,y—1) 
P(x,y),(k,x+y — k) 

P(_x,y),{k,x+y-k+l) 



C + S 
C 



^ ixq(x, x + y-\)-\- (1 - P)l{x, x-\-y)^ + 



c 

s-y 



s 



c + s / c 



'-i^qix,x^-y) ■ 



M ) for y S: * ~ 1 



(^) + (^) (^'*) ^°'^2/>l 



(1 - n)q{k,x + y) 



c + s/ V c 

for max(0, x -\- y — s) <k < min(c, x + y) and k ^ x 

c — x^ 



IJ.q{k,x + y) 



c + s/ V c 

for max(0, x + y + \ — s)<k< min(c, x + y + \) and k ^ x 



where 



X + y\ /c + s - I - {x + y)\ 



q{x,x + y) 
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Figure 3. An aggregated view of the Markov chain associated to the second game. Safe states are represented by A, 
and polluted states by C and D. 



is the probability of getting x red balls when c balls are drawn, without replacement, in an urn containing x + y 
red balls and c + s — 1 — {x + y) white balls, referred to as the hypergeometric distribution. In all other cases, 
transition probabilities are null. 

In contrast to the first game, this game alternates between safe and polluted states. After a random number 
of these alternations the process ends by entering a set of closed polluted states. Indeed, by the rule of the 
game, one can escape finitely often from polluted state {x; y) to switch back to a safe state as long as (x; y) 
satisfies c' + l<x + y<s + c' (there are still sufficiently many white balls in both C and S so as to successfully 
withdrawing c balls such that C can be reverted to a safe state). However, there is a time T/j when state {x;y), 
with X + y > s + c' + l, is entered. From To onwards, going back to safe states is impossible. Thus at time To 
the adversary wins the game. Hence an interesting metrics to be evaluated is the total time spent by the process 
in safe states before being definitely absorbed in polluted states. 

Formally, we need to decompose the set B of polluted states into two subsets C and D defined by C = {{x; y) 
c' + l<x + y<s + c', c' + 1 <x <c, <y < s}, and D = {{x;y) \ x + y>s + c' + l, <y < s}. Subsets A and 
C are transient and subset D is a, closed subset. We partition matrix P and initial probability vector a following 
the decomposition oi S = AU C U D, by writing 




P= PcA Pc PcD and a = (a^ ac ao)- 



Figure [3] illustrates the states partition of the process X. 

We are interested in the random variable Ta which counts the total time spent in subset A before reaching 
subset D. Following the result obtained in [TT], we have, for every fc > 0, 

F{TA<k} = l~vG''l, (4) 

where v = a a + etc {I ~ Pc)~^ PcA and G = Pa + Pac{I ^ Pc)^^ Pc A- The expected total time spent in A is given 
by 

E{Ta) ^ v{I - G)-H. (5) 



Figure 4(a) compares the expectation of the time spent in safe states for both games. In accordance with the 
intuition, increasing the size of the urns augments the expected time spent in safe states of both games, i.e., E(T) 
and E(Ta), independently of the ratio of red balls in the bag. Similarly, for a given cluster size, increasing the 
ratio of red balls in the bag drastically decreases both E{T) and E{Ta)- However surprisingly enough, increasing 
the level of randomness (game 2 vs. game 1) does not increase the resilience to the adversary behavior since the 
first game always overpasses the second one in expectation. It is even more true when S size is large with respect 
to C one. The intuition behind this fact is as follows: when S size is equal to 1, both games are equivalent as 



illustrated in Figure 4(a) for s = 1. Now, consider the case where the size of S is large with respect to C one. First 
of all, note that the probability to draw a ball from S tends to 1, and because the adversary never withdraw its 
red balls from any urns, the ratio of red balls within S is monotonically non decreasing. Hence, the ratio of red 
balls in S tends also to 1. With small probability, a ball from C is drawn. In the first game it is replaced with high 
probability by a red ball drawn from S. Hence to reach a polluted state, at least c' white balls have to be replaced 
by red ones. While in the second game with high probability, the renewal of C reaches a polluted state in a single 
step. From this crude reasoning we can derive that the ratio of E{T) over E{Ta) tends to c'. 
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Figure 4. (a) Expectation of the number of rounds spent in safe states for games 1 and 2 function of S size and 
the ratio of malicious nodes /i as resp. given by relations (??) and (??). (b) Mean number of safe clusters E{N„) 
(relation (??)) in function of the rounds number n for both games and both kind of adversaries. There are 1=100 
clusters, and the ratio of red balls in the bag is equal to .25 and c = 7. Note that the initial number of safe clusters 
is equal to 16. 



4 Constraining the adversary 

Our next step is to evaluate the benefit of constraining the adversary by limiting the sojourn time of its balls 
in both urns, so that randomness among red and white balls is continuously preserved. In the model we propose, 
we assume that the adversary cannot p reve nt red balls from being withdrawn for both urns. 

By proceeding as in Sections 13. II and 13. 2) we can derive the transition probability matrix P for both games. For 
all a; G {0, ... , c} and ye {0, . . . , s}, the entries of P are given, for the first game, by 

_ xy + {c{s -y)- xs)(l - fj.) yfi + {s- y){l - n) 
P(^'y'>-^^'y^ (c + s)s c+s 
{x + s)y 

P(a^,y),(x.y-l) = ^ (1 - ^) for y > 1 

f c ~ X + s\ f s — y\ 
P(^,y),[^,y+1) = j[^-^j^^^ory<s-l 

(c — •^')y 

P{x,y),{x+l.y-i) = - m) for a; < c- 1 and J/ > 1 (6) 

(c — x)y 

P{x,y),(x + l,y) = -^^-p^M for Z < C- 1 

x{s — y) , 

P{x,y),(x-l,y) = ^ (1 -f^)forX>l 

x(s — y) 

P(x:y),(x-l,y+i) = ^ fJ. for X > I and y < s - 1. 

In all other cases, transition probabilities are null. Similarly for second game , for all x G {0, . . . , c} and y G 
{0, . . . , s}, we have 

_ xq{x, X + y ~ l)fi + [c - x)q{x, x + y){l- fj.) yfi + {s~ y){l - fj.) 

P(x,y),{x,y) — """^.Lo 
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P{x,y),(x,y-i) = + 1)(1 -At) H — {1 - IJ.) for y > 1 

c + s c + s 

c — X s ~ y 

P(x,y),{x,y+i) = — ; — q{x,x + y)IJ--\ ; — /lioryKs-l 

c + s c + s 

P(x,y),(k,x + y-k-l) = ^^^-JC^.^^ + S/ - - A') (7) 

for max(0, x + y — I — s)<k< min(c, x + y — 1) and k x 

P(x,y),(k,x + y-k) = — 7— '?(*:.3; + J/-l)/i+ ^— -^l}(fc,X + J/)(l-At) 

c + s c + s 

for max(0, x + y — s)<k< min(c, x + y — 1) and k ^ x 
c — X 

P(x,y),{k,x + y-k + l) = + y)fJ, 

for max(0, x + y + 1 — s)<k< min(c, x + y) and k ^ x, 

where we set q(u^ v) = when u > v. In all other cases, transition probabilities are null. 

It is not difhcult to see that none of the games exhibit an absorbing class of states (i.e., both games never ends). 
We have Pba 7^ and the process X is irreducible and aperiodic since at least one state has a transition to itself. 
The distribution of the time T needed to reach subset B is given, for every > 0, by 

T{T <k} = l-aAiPA)''l- (8) 

We denote by tt the stationary distribution of the Markov chain X. The row vector tt is thus the solution to 
the linear system 

TT = ttP and nl — 1. 

As we did for row vector a, we partition tt according to the decomposition S = AU B, by writing n = (tta t^b), 
where sub- vector tta (resp. ttb) contains the stationary probabilities of states of A (resp. B). 

Theorem 1 For both games 1 and 2, the stationary distribution tt is equal to a, i.e. for all x — 0, . . . ,c and 
y — 0, . . . , s, we have 

lim F{Xn = {x,y)} = a{x,y), 

n ^00 

which is given by relation {IJ). 

Proof. For space reasons, we omit the proof of the theorem. The interested reader is invited to read it in the 
Appendix. ■ 

Theorem [1] is interesting in two aspects. First it shows that the stationary distribution tt is exactly the same for 
both games, and second, that this distribution is equal to the initial distribution a. At a first glance, we could 
guess that this phenomenon is due to the fact that the Markov chain X is the tensor product of two independent 
Markov chains, representing respectively the evolution of the red balls in C and S. Although this is clearly not the 
case as the behavior of red balls in C depends on the behavior of red balls in S. This holds for both games. 

The stationary availability of the system defined by the long run probability to be in safe states is denoted by 
Psafe and is given by 



x=0 



This probability can also be interpreted as the long run proportion of time spent in safe states. Note that the 
stationary distribution does not depend on the size of S. 

Now let us consider that we have £ identical and independent Markov chains X^^^ . . . , AT^^^ on the same state 
space S = A\J{S\A\^ with initial probability distribution (3 and transition probability matrix P. The probability 
distribution j3 represents the state (0;0), i.e., the safest state. Each Markov chain models a particular cluster of 
nodes and, for n > 0, represents the number of safe clusters after the n-th round, i.e. the number of Markov 
chains being in subset A after the n-th transition has been triggered, defined by 



{xy'^eA}- 
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The t Markov chains being identical and independent, Nn has a binomial distribution, that is, for fc = 0, we 
have 



F{7V„ = fc} = Q (p{xWGA})'(i-p{xWeA} 



i-k 



and 



(/3P"U)'=(1-/?P"U) 



i;(iV„) =£/3P"1a, 



l-k 



where 1a is the column vector with the i-th entry equal to 1 if i G A and equal to otherwise. If N denotes the 
stationary number of safe clusters, we have, for A: = 0, . . . , £, 

P{A^ = fc} ~ (^) (tt^I)*' (1 — TT^l)^ ^ for a constrained adversary 

= for a non constrained adversary 

and 

E{N) — £tta1 for a constrained adversary 

= for a non constrained adversary 

These results are illustrated in Figure |4(b)[ We can observe that with a constrained adversary, the ratio of safe 
clusters tends to the same limit for both games, whatever the amount of initially safe clusters (less than a 1/4), 
while with a non constrained adversary eventually all the clusters get polluted. 



5 Conclusion 



In this paper, we have proposed a mechanism that enables the enforcement of limited nodes lifetime compli- 
ant with DHT-based overlays specificities. We have investigated several adversarial strategies. Our analysis has 
demonstrated that an adversary can easily subvert a cluster-based overlay by simply never triggering leave oper- 
ations. We have then shown that when nodes have to regularly leave the system, eventually this one reaches a 
stationary regime where the ratio of malicious nodes is bounded. 

For future work, we plan to implement this limited node lifetime mechanism in PeerCube to study its impact on 
the induced churn and its management overhead. We are convinced that this additional churn will be efficiently 
amortised thanks to the organisation of nodes in core and spare sets. 
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Appendix 



Theorem [T] For both games 1 and 2, the stationary distribution n is equal to a, i.e. for all x = 0, . . . , c and y = 0, . . . , s, 
we have 

lim ]P{X„ ^ {x,y)} = a{x,y), 

n >oo 

which is given by relation 

Proof. For both games, the Markov chain X is finite, irreducible and aperiodic so the stationary distribution exists and is 
unique. It thus suffices to show that for both games we have a = aP, i.e. for all i £ {0, . . . , c} and j £ {0, . . . , s}, we have 



{aP){i,j) = ^^a(u,u)p(„,„),(i,j-) = a{i,j). 



First of all, note that, from relation we have 



i,J-l) 



c-i + l)(j + \) 

»(i-m) 



for J < s — 1, 
for j > 1, 

for i > 1 and j < s — 1, 

for i > 1, 

for i < c — 1, 

for i < c — 1 and j > 1. 



For first game , the transition probability matrix P is given by relations ([6]). Using these relations and relations above, 
we obtain for i = 1, . . . , c — 1 and j = 1, . . . , s — 1, 

{aP){i,j) = a{i,j)p^,^j^^(i^j-) + a{i,j + l)P{«,j+i),(i,j) + a{i,j ~ i)P(i,j-i),(i,j) 



«jM + (c-i)(s-i)(l-M) j> + (s- j)(l-^) 



(c + s)s 



+ 



c + s 



(c + s)s 



c + s 



(c + s)s 



c + s 

When i — or i = c and j = or j = s we obtain the same result more easily. 

For second game , the transition probability matrix P is given by relations (O. For i = 1, . . . , c — 1 and j — l,...,s — 1, 
we have 



+ - 1) 



c + s 
is~j + 1)^ 



c + s 



E lt(l — /i) , . . 



c + s 



(u,t;)eSi4.j_i 



(ti,ii)SSi+3 + i 
It/i . . . (c— lt)(l— /i) 



■■^ — ' \ c + s c + s 



v)'-—^qil,t + J - I), 
c + s 
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where Si is the set defined hy Si = {{u,v) \ Q < u < c, Q < v < c and u + v = £}. Using the recurrence relations above on 
a and two variables changes u := u + 1 and m := u — 1, we obtain 

{aP){i,j) = a{i,j)—^+ V a{u,v)^^-^^q{i,i + j) 
c + s ^ — ' c + s 



r„ ,.^c5.. . \ci-s Ci-s y 



■"^ ' C + ■'! 



(u,v)eSi_|_j 



which leads to 



j(c + s - (i + j)) 



By definition of q{i, i + j), we have 
and by definition of a(M, v), we have 



and thus 



This leads to 



C + S \ _ ^y+s-(^+,)^^■^ . _|_ ^.^^^^^ + s - (i + j)) 



c + s (c + s)2(s-j) 

Again, by definition of q(i, i + j), we have 



y + j J s(c + s 



{c + s){s-j) 



which gives {aP){i,j) = ""^^^^^ + "^^2° = a{i,j). As for game 1, the result for frontier states is easier to derive. 



12 



Hamiltonian Mechanics 



Ivar Ekeland^ and Roger Temam^ 

^ Princeton University, Princeton NJ 08544, USA 
Universite de Paris-Sud, Laboratoire d'Analyse Numerique, Batiment 425, 
F-91405 Orsay Cedex, France 



Abstract. The abstract should summarize the contents of the paper 
using at least 70 and at most 150 words. It will be set in 9-point font 
size and be inset 1.0 cm from the right and left margins. There will be 
two blank lines before and after the Abstract. . . . 



1 Fixed-Period Problems: The Sublinear Case 

With this chapter, the preliminaries are over, and we begin the search for periodic 
solutions to Hamiltonian systems. All this will be done in the convex case; that 
is, we shall study the boundary-value problem 

X = JH'{t,x) 
x{0) = x(T) 

with H(t, •) a convex function of x, going to -t-oo when —>■ oo. 
1.1 Autonomous Systems 

In this section, we will consider the case when the Hamiltonian H{x) is au- 
tonomous. For the sake of simplicity, we shall also assume that it is C^. 

We shall first consider the question of nontriviality, within the general frame- 
work of {Aao, i3oo)-subquadratic Hamiltonians. In the second subsection, we shall 
look into the special case when H is (0, 6oo)-subquadratic, and we shall try to 
derive additional information. 



The General Case: Nontriviality. We assume that H is (yloo, -Boo)-sub- 
quadratic at infinity, for some constant symmetric matrices Aoo and Boo, with 
Boo — Aoo positive definite. Set: 

7 : = smallest eigenvalue of Boo — Aoo (1) 

A : = largest negative eigenvalue of + ^oo ■ (2) 

Theorem 21 tells us that if A + 7 < 0, the boundary- value problem: 

X = JH'{x) , . 

x{Q) = x{T) ^"^^ 



has at least one solution x, which is found by minimizing the dual action func- 
tional: 



Jo 



]^{A-\,u)+N*{-u) 



dt 



(4) 



on the range of A, which is a subspace R{A)\ with finite codimension. Here 



N{x) :=H{x) --{A^x,x) 



is a convex function, and 



(5) 



N{x)<-{{Boo-Aoo)x,x)+c Vx 
Proposition 1. Assume H'{0) = and H{0) = 0. Set: 

(5:=liminf2iV(a;)||a;|r^ . 
K— >o 

If 1 < ~^ < ^! the solution u is non-zero: 

x{t) ^0 Vt . 



(6) 



(7) 



(8) 



Proof. Condition (7) means that, for every 5' > 6, there is some e > such that 

(9) 



\\x\\<s^N{x)<^-\\xf 



It is an exercise in convex analysis, into which we shall not go, to show that 
this implies that there is an 77 > such that 



f\\x\\<V^N*{y)<^\\yf 



(10) 



Fig. 1. This is the caption of the figure displaying a white eagle and a white horse on 
a snow field 



Since ui is a smooth function, we will have < ij for h small enough, 

and inequality (10) will hold, yielding thereby: 

V(/i«i)<yi|K||^ + y^Kf . (11) 



If we choose 5' close enough to 5, the quantity {\-\- jr) will be negative, and 
we end up with 

^-){hui) < for /i 7^ small . (12) 

On the other hand, we check directly that ■i/'(0) = 0. This shows that cannot 
be a minimizer of ip, not even a local one. So u ^ and u ^ yl~^(0) =0. □ 

Corollary 1. Assume H is and {aoo,boo)-subquadratic at infinity. Let ^i, 
...,^N be the equilibria, that is, the solutions of H'{^) = 0. Denote by cok the 
smallest eigenvalue of H" (^fc), and set: 



u> := Min {oji, . . . ,u>k} 



If: 



2n 



6oo < -E 



T 



T 



(13) 
(14) 



then minimization ofip yields a non-constant T -periodic solution x. 



We recall once more that by the integer part E[a] of a G IR, we mean the 
a G 2 such that a < a < a + 1. For instance, if wc take Oqo = 0, Corollary 2 
tells us that x exists and is non-constant provided that: 



or 



Y'-<'<Y 



nr. , 27r 27r 

( — ,— 

LU boo 



(15) 



(16) 



Proof. The spectrum of yl is + Ooo- The largest negative eigenvalue A is 
given by + Qod, where 



27r, „ ^ 27r 

— fco + Ooo < < — (fco + 1) + ac 



Hence: 



ko = E 



T 



The condition 7 < —A < S now becomes: 



2n, 



floo < ~i^ko - aoo < w - Co 



which is precisely condition (14). 



(17) 
(18) 

(19) 
□ 



Lemma 1. Assume that H is on IR^"\{0} and that H" (x) is non-degenerate 
for any x ^ 0. Then any local minimizer x of tp has minimal period T. 



Proof. We know that x, or a; + ^ for some constant ^ G H is a T-periodic 
solution of the Hamiltonian system: 

X = JH'{x) . (20) 

There is no loss of generality in taking ^ = 0. So V(a^) > 4>{x) for all x in 
some neig hbourhood of x in VF^^^ (]R/TZ; IR^") . 

But this index is precisely the index irix) of the T-periodic solution x over 
the interval (0,T), as defined in Sect. 2.6. So 

irix) = . (21) 

Now if X has a lower period, T/k say, we would have, by Corollary 31: 

irix) = ikT/k{x) > kiT/k{x) + k-l>k-l>l. (22) 

This would contradict (21), and thus cannot happen. □ 

Notes and Comments. The results in this section are a refined version of [1]; the 
minimality result of Proposition 14 was the first of its kind. 

To understand the nontriviality conditions, such as the one in formula (16), 
one may think of a one-parameter family xt, T G (2ttliJ~^ ,2Trb^) of periodic 
solutions, xt{0) = xt{T), with xt going away to infinity when T 27ra;~^, 
which is the period of the linearized system at 0. 

Table 1. This is the example table taken out of The T^Xbook, p. 246 



Year 


World population 


8000 B.C. 


5,000,000 


50 A.D. 


200,000,000 


1650 A.D. 


500,000,000 


1945 A.D. 


2,300,000,000 


1980 A.D. 


4,400,000,000 



Theorem 1 ((Ghoussoub-Preiss)). Assume H{t,x) is {0,e)-subquadratic at 



infinity for all e > 0, and T-periodic in t 

H{t,-) is convex Mt (23) 

H{-,x) is T-pcriodic Vx (24) 

H(t,x) > n{\\x\\) with n{s) s^"^ ^ oo as s — > cxd (25) 

Ve>0, 3c : H{t,x) <^\\x\\^ +c . (26) 



Assume also that H is C^, and H"{t, x) is positive definite everywhere. Then 
there is a sequence Xk, fc € IN, of kT -periodic solutions of the system 

x = JH'{t,x) (27) 

such that, for every A; e IN, there is some S IN with: 

P > Po ^ Xpk Xk . (28) 

□ 

Example 1 ((External forcing)). Consider the system: 

X = JH'{x) + f{t) (29) 

where the Hamiltonian H is (0, 6oo)-subquadratic, and the forcing term is a 
distribution on the circle: 

f=j/ + fo with FGL2(]R/TZ;]R2n) ^ (30) 
where := T^^ f{t)dt. For instance, 

fit) =^Ski, (31) 

where Sk is the Dirac mass at t = k and ^ G M^" is a constant, fits the pre- 
scription. This means that the system x = JH'(x) is being excited by a series 
of identical shocks at interval T. 

Definition 1. Let Aoo{t) and B^oit) be symmetric operators mlR^", depending 
continuously ont£ [0, T], such that Aoo{t) < Boo{t) for all t. 

A Borelian function H : [0,T] x H^" ^ IR is called {A^,B^)-suhquadratic 



at infinity if there exists a function N{t,x) such that: 

H{t, x) = ^ ( {t)x, x) + N{t, x) (32) 

\/t , N{t, x) is convex with respect to x (33) 

N{t,x) > n{\\x\\) with n{s) s' ^ +oo as s ^ +oo (34) 

3ceIR: H{t,x) <^{B^{t)x,x) + c Vx . (35) 



If Aoo{t) = floe/ and Bocit) = baol, with Ooo < ^oo G IR, we shall say thai 
H is (ooo, boo)-subquadratic at infinity. As an example, the function \\x\\" , with 
1 < a < 2, is {0,e)-subquadratic at infinity for every e > 0. Similarly, the 
Hamiltonian 

H{t,x) = ^k\\kf + \\xr (36) 
is {k, k + e)-subquadratic for every £ > 0. Note that, if k <0, it is not convex. 



Notes and Comments. The first results on subharmonics were obtained by Ra- 
binowitz in [5] , who showed the existence of infinitely many subharmonics both 
in the subquadratic and superquadratic case, with suitable growth conditions 
on H' . Again the duality approach enabled Clarke and Ekeland in [2] to treat 
the same problem in the convex-subquadratic case, with growth conditions on 
H only. 

Recently, Michalek and Tarantello (see [3] and [4]) have obtained lower bound 
on the number of subharmonics of period kT, based on symmetry considerations 
and on pinching estimates, as in Sect. 5.2 of this article. 
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